Module 2: Threat Management & Cybersecurity Resources Flashcards
What is the goal of Threat Management?
To take the appropriate steps needed to minimize hostile cyber actions; “what threat can take advantage of a vulnerability to bypass our defenses, & how can we prevent it?”
What is the First Step in Threat Management?
Test the defenses to find any weaknesses
What is Penetration Testing?
Attempts to exploit vulnerabilities just as a threat actor would
How does Penetration Testing help with exposing vulnerabilities?
1) Helps to uncover new vulnerabilities
2) Provides a clear picture of their nature
3) Determines how they could be used against the organization
What does studying Penetration Testing involve?
- Defining what it is & why such a test should be conducted
- Examining who should perform the tests & the rules for engagement
- Knowing how to perform a penetration test
What is the First Step in a pen test?
Planning!
Why conduct a pen test, as opposed to a scan?
While a scan of network defense can help find vulnerabilities, the type of vulnerabilities revealed is different from a pen test
- Scan usually only finds surface problems to be addressed
- Many scans are entirely automated & provide only a limited verification of any discovered vulnerabilities, while a pen test can find deep vulnerabilities
What are the pros & cons of hiring Internal Employees to perform pen testing?
Pros:
- There is little or no additional cost
- The test can be conducted much more quickly
- An in-house pen test can be used to enhance the training of employees & raise the awareness of security risks
Cons:
- Inside Knowledge - would have an in-depth knowledge of the network & devices (threat actors would not have the same knowledge)
- Lack of Expertise - employees may not have the credentials needed to perform a pen test
- Reluctance to Reveal - may be reluctant to reveal a vulnerability discovered in a network or system that they or a fellow employee has been charged w/ protecting
Who is on the Red Team & what do they do?
Role: Attackers
Duties: Scans for vulnerabilities & then exploits them
Explanation: Has prior & in-depth knowledge of existing security, which may provide an unfair advantage
Who is on the Blue Team & what do they do?
Role: Defenders
Duties: Monitors for Red Team attacks & shores up defenses as necessary
Explanation: Scans log files, traffic analysis, & other data to look for signs of an attack
Who is on the White Team & what do they do?
Role: Referees
Duties: Enforces the rules of the penetration testing
Explanation: Makes note of the Blue Team’s responses & Red Team’s attacks
Who is on the Purple Team & what do they do?
Role: Bridge
Duties: Provides real-time feedback b/t the Red & Blue Teams to enhance the testing
Explanation: The Blue Team receives information that can be used to prioritize & improve their ability to detect attacks, while the Red Team learns more about the technologies & mechanisms used in the defense
What are the advantages & disadvantages of hiring an External Pen Testing Consultant?
Pros:
1) Expertise
2) Credentials
3) Experience
4) Focus
Cons:
1) May receive extremely sensitive information about systems & how to access them
2) This knowledge could be sold to a competitor
What are the Penetration Testing Levels?
1) Black Box
2) Gray Box
3) White Box
Describe the Black Box pen testing level?
Testers have no knowledge of the network & no special privileges
Task: Attempt to penetrate network
Pro: Emulate exactly what a threat actor would do & see
Con: If testers cannot penetrate the network, then no test can occur
Describe the Gray Box pen testing level?
Testers are given limited knowledge of the network & some elevated privileges
Task: Focus on systems w/ the greatest risk & value to the organization
Pro: More efficiently assess security instead of spending time trying to compromise the network & then determining which systems to attack
Con: This head start does not allow testers to truly emulate what a threat actor may do
Describe the White Box pen testing level?
Testers are given full knowledge of the network & the source code of applications
Task: Identify potential points of weakness
Pro: Focus directly on systems to test for penetration
Con: This approach does not provide a full picture of the network’s vulnerabilities
What are the Advantages of Crowdsourced pen tester?
- Fast testing, resulting in quicker remediation of vulnerabilities
- Ability to rotate teams so different individuals test the system
- Option of conducting multiple pen tests simultaneously
What are the Rules of Engagement?
Pen testing’s limitations or parameters
What happens to a pen test if there are no parameters?
W/o parameters, a pen test can easily veer off course & not accomplish the desired results, take too long to produce timely results, or test assets that are not necessary to test
What are the Categories for Rules of Engagement (7)?
1) Timing
2) Scope
3) Authorization
4) Exploitation
5) Communication
6) Cleanup
7) Reporting
What is the Timing Category for ROE?
- The timing parameter sets when the testing will occur
- Some considerations include: the start & stop dates of the test, whether the active portions of the pen test should be conducted during normal business hours, & what to do if a vulnerability requires immediate attention
o During business hours – could cause unforeseen interruptions to normal activities
o Alternative – after business hours or only on weekends
What is the Scope Category for ROE?
- Scope is what should be tested
- involves several elements that define the relevant test boundaries
- Environment (live production)
- Internal Targets (must be clearly identified for external 3rd-party gray box test or white box test)
- External Targets (testing a service or app hosted by a 3rd-party)
- Target Locations (r/t laws among states, provinces, & countries)
- Other Boundaries (additional to tech boundaries - physical security? limiting targets? limits spear phishing messages?)
What is the Authorization Category for ROE?
- Authorization is the receipt of prior written approval to conduct the pen test
o A formal written document must be signed by all parties before a pen test begins
What is the Exploitation Category for ROE?
- The exploitation level of a pen test (how far a discovered vulnerability may actually be exploited, as opposed to only being reported) should be part of the scope that is discussed in the planning stages
What is the Communication Category for ROE?
- Pen tester should communicate w/ the organization during the following occasions:
o Initiation – once started, organization should be notified that the process has begun
o Incident Response – if the pen tester can complete the initial vulnerability assessment w/o triggering the organization’s incident response mechanism, a critical gap in the security structure has been identified & should be communicated
o Status – provide periodic status reports instead of waiting until pen test is completed
o Emergency – critical vulnerability should immediately be reported to organization’s management while pen test is paused
What is the Cleanup Category of the ROE?
- Pen tester must ensure that everything r/t pen test has been removed
- Should be clearly outlined in the rules of engagement
- Cleanup involves removing all software agents, scripts, executable binaries, temporary files, & backdoors from all affected systems
- Any credentials that were changed should be restored & any usernames created should be removed
What is the Reporting Category of the ROE?
- Once the pen test is completed, a report should be generated to document its objectives, methods used, & results
- The report should be divided into two parts based on 2 separate audiences:
o 1) Executive summary - designed for a less technical audience
o 2) A more technical summary written for security professionals
What are the 2 Phases of Performing a Pen Test?
1) Reconnaissance
2) Penetration
What happens during the Reconnaissance Phase of Penetration Testing?
- The first task of a black box or gray box tester is to perform preliminary information gathering from outside the organization (called footprinting)
- Information can be gathered using 2 methods:
o 1) Active Reconnaissance – involves directly probing for vulnerabilities & useful information
War driving – searching for wireless signals from an automobile or on foot while using a portable device
o 2) Passive Reconnaissance – tester uses tools that do not raise any alarms
May include searching online for publicly accessible information called open source intelligence (OSINT) that can reveal valuable insight about the system
What is Footprinting?
Perform preliminary information gathering from outside the organization
What is the 2nd Phase of Penetration Testing?
Penetration!
Pen test is intended to simulate the actions of a threat actor
* “What do threat actors do when they uncover a vulnerability through reconnaissance?”
What are the steps of Penetration during the 2nd Phase of Pen Testing?
1) Threat actors first conduct reconnaissance against the systems, looking for vulnerabilities.
2) When a path to a vulnerability is exposed, they gain access to the system through the vulnerability.
3) Once initial access is gained, threat actors attempt to escalate to more advanced resources that are normally protected from an app or user (privilege escalation)
4) W/ the advanced privileges, threat actors tunnel through the network looking for additional systems they can access from their elevated position (lateral movement)
5) Threat actors install tools on the compromised systems to gain even deeper access to the network.
6) Threat actors may install a backdoor that allows them repeated & long-term access to the system in the future. The backdoors are not r/t the initial vulnerability, so access remains even if the initial vulnerability is corrected.
7) Once the backdoor is installed, threat actors can continue to probe until they find their ultimate target & perform their intended malicious action, such as stealing research & development (R&D) information, password files, or customer credit card numbers.
What lessons are to be learned about how threat actors work during pen testing?
o When a vulnerability is discovered, the work is not finished
o Pen tester must determine how to pivot (turn) to another system using another vulnerability to continue moving toward the target
o Vulnerabilities that are not part of the ultimate target can still provide a gateway to the target
o No vulnerability is insignificant
o Pen tests are manual; therefore, a pen tester needs to design attacks carefully
o Pen testers must be patient & persistent, just like the threat actors
What is a Vulnerability Scan?
A frequent & ongoing process that continuously identifies vulnerabilities & monitors cybersecurity progress
Cyclical process of ongoing scanning & continuous monitoring to reduce the attack surface
Conducting a vulnerability scan involves?
o Knowing what to scan & how often
o Selecting a type of scan &
o Interpreting vulnerability information
What are 2 primary reasons for not conducting around-the-clock vulnerability scans?
Workflow interruptions
Technical constraints
What are the types of Vulnerability Scans?
1) Credentialed Scan
2) Non-credentialed scan
3) Intrusive scan
4) Nonintrusive scan
How are a Credentialed & Non-credentialed scan different?
1) Credentialed Scan –
* Valid authentication credentials are supplied to the vulnerability scanner to mimic the work of a threat actor who possesses these credentials
o Ex: usernames & passwords
2) Non-credentialed Scan –
* Provides no such authentication information
How are an Intrusive scan & Nonintrusive scan different?
1) Intrusive Scan –
* Attempts to exploit any vulnerabilities that it finds, like a threat actor would
2) Nonintrusive Scan –
* Does not attempt to exploit the vulnerability but only records that it was discovered
What is the MITRE Common Vulnerabilities and Exposures (CVE) list?
A public catalog that assigns each known vulnerability in operating systems & application software a unique CVE identifier (CVE-year-number format)
o Most popular vulnerability feed
What is the Common Vulnerability Scoring System (CVSS)?
Numerical score (0–10) generated using a formula that considers variables such as the access vector, attack complexity, authentication, & the impact on the confidentiality, integrity, & availability of the system (these are the CVSS v2 names; CVSS v3.x uses attack vector, attack complexity, privileges required, user interaction, scope, & the same 3 impact metrics)
o Vulnerabilities with the highest CVSS scores are generally considered to require early attention
o The vulnerabilities w/ the higher CVSS scores may not always be the ones that should be addressed first
o Look at the scores & the entire vulnerability scan in the context of the organization
What are the 2 Data Management Tools used for collecting & analyzing this data?
1) Security Information and Event Management (SIEM) -
* Consolidates real-time security monitoring & management of security information w/ analysis & reporting of security events
* Product can be a separate device, software that runs on a computer, or even a service provided by a third party
2) Security Orchestration, Automation, and Response (SOAR)
* Similar to SIEM in that it is designed to help security teams manage & respond to a very high number of security warnings & alarms
* However, SOARs combine more comprehensive data gathering & analytics in order to automate incident response
What are the 6 features of a SIEM?
1) Aggregation
2) Correlation
3) Automated alerting & triggers
4) Time synchronization
5) Event deduplication (filtering out duplicate copies of the same event)
6) Logs
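To make the SIEM features above concrete, here is an added example (not from the flashcards or from any SIEM product) of a minimal pipeline in Python: it aggregates two log sources with different formats into one schema, synchronizes their timestamps to UTC, deduplicates repeated events, and applies a correlation rule that raises an automated alert. Both log sources are constructed for the example (hostnames, IPs, users and the UTC-05:00 clock offset of the sshd host are made up), and the rule threshold and window are assumptions.

```python
"""Minimal SIEM pipeline: aggregation, time synchronization, deduplication,
correlation with automated alerting. Added example; all logs CONSTRUCTED."""
import re
from datetime import datetime, timedelta, timezone

# Source A (constructed): sshd auth log whose clock is at UTC-05:00. Note the
# repeated 09:00:09 line, as an at-least-once log forwarder would produce.
AUTH_LOG = """\
2024-03-01T09:00:05-05:00 vpn-gw sshd[811]: Failed password for root from 203.0.113.7 port 51000 ssh2
2024-03-01T09:00:09-05:00 vpn-gw sshd[811]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-01T09:00:09-05:00 vpn-gw sshd[811]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-01T09:00:14-05:00 vpn-gw sshd[812]: Failed password for admin from 203.0.113.7 port 51004 ssh2
2024-03-01T09:01:02-05:00 vpn-gw sshd[813]: Accepted password for admin from 203.0.113.7 port 51010 ssh2
"""
# Source B (constructed): web application login events already in UTC.
WEB_LOG = [
    {"ts": "2024-03-01 14:00:30Z", "src": "198.51.100.9", "user": "bob", "outcome": "fail"},
    {"ts": "2024-03-01 14:00:31Z", "src": "198.51.100.9", "user": "bob", "outcome": "fail"},
    {"ts": "2024-03-01 14:40:00Z", "src": "198.51.100.9", "user": "bob", "outcome": "success"},
]

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def normalize_auth_line(line: str):
    """sshd line -> common schema; timestamp converted to UTC (time sync)."""
    m = AUTH_RE.match(line)
    if not m:
        return None  # not a logon event; other sshd lines are ignored here
    ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
    return {"ts": ts, "source": "sshd", "src": m["src"], "user": m["user"],
            "outcome": "fail" if m["outcome"] == "Failed" else "success"}


def normalize_web_event(ev: dict):
    """Web log record -> common schema; 'Z' suffix parsed explicitly as UTC."""
    ts = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "webapp", "src": ev["src"],
            "user": ev["user"], "outcome": ev["outcome"]}


def aggregate():
    """Aggregation: both sources merged into one time-ordered event list."""
    events = [e for e in (normalize_auth_line(l) for l in AUTH_LOG.splitlines()) if e]
    events += [normalize_web_event(e) for e in WEB_LOG]
    return sorted(events, key=lambda e: e["ts"])


def deduplicate(events):
    """Event deduplication: drop exact repeats of the same normalized event."""
    seen, out = set(), []
    for e in events:
        key = (e["ts"], e["source"], e["src"], e["user"], e["outcome"])
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule (assumed threshold/window): >= `threshold` failed
    logons from one source IP, followed by a success from that IP within
    `window`, is alerted as probable password guessing that worked."""
    by_src = {}
    for e in events:
        by_src.setdefault(e["src"], []).append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            fails = [f for f in evs[:i]
                     if f["outcome"] == "fail" and e["ts"] - f["ts"] <= window]
            if len(fails) >= threshold:
                alerts.append({"rule": "brute-force-then-success", "src": src,
                               "user": e["user"], "failures": len(fails),
                               "at": e["ts"].isoformat()})
    return alerts


def run_pipeline():
    """Full pipeline; returns (normalized events, alerts)."""
    events = deduplicate(aggregate())
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = run_pipeline()
    for e in events:
        print(e["ts"].isoformat(), e["source"], e["src"], e["user"], e["outcome"])
    print("alerts:", alerts)
```

Two details worth noticing when running it: the 09:00 local sshd events land in the same 14:00 UTC minute as the web log only because of the time synchronization step, and without deduplication the repeated line inflates the failure count to 4, which is how duplicate forwarding skews any threshold-based rule. The web-log source never alerts: it has only two failures and its success comes 40 minutes later, outside the window.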